The invention relates to a device for storing a binary state, as may be used, for example, in memories for security applications.
Computer systems can make use of processing units such as micro-processors or micro-controllers, often also called CPUs (CPU=Central Processing Unit). Such a unit can be located in a data path, to which a number of functional units of a system may be connected in order to enable data processing. A conventional concept is to use data buses, i.e. defined sets of connection lines, to connect functional entities such as multiplexers, ALUs (ALU=Arithmetic Logic Unit), shifters and register files.
By way of example, a register file is described in the following. A register file serves as an intermediate memory or storage device for address data and payload data which participate in an operation currently processed by, for example, a CPU. A register file can therefore also be seen as a clipboard memory. A register file can enable fast, random and simultaneous access to data, for example, to two ALU operands. Accessing said data can refer to reading as well as to writing operations, and simultaneous read and write operations may also be carried out.
Register files may provide so-called write-back ports, which can serve, e.g., to write back intermediate results from ALU processing operations. Moreover, register files may serve for loading address or payload data into the register file or moving it out, wherein the read/write ports may also serve for communicating with other components of a system outside the CPU data path.
In order to save energy and chip area, register files are often implemented as so-called multi-port RAMs (RAM=Random Access Memory). In these implementations, sets of bit line connections may connect registers, wherein the functional unit "register" may be defined as a set of similar one-bit register cells with the properties described above. The number of bits which can be stored in a single data word register is the so-called bit width of the data path. The number of ports corresponds to the maximum number of different accesses which can be carried out on the different registers simultaneously.
Differential power analysis (DPA) is a commonly known method for attacking integrated circuits in security applications in order to determine confidential information such as passwords or cryptographic keys. For a given program code or algorithm, power profiles are measured and evaluated with statistical methods, i.e. integrated values of the charge transferred across several clock cycles are determined. A correlation between a systematic variation of the data and the corresponding statistical values allows conclusions to be drawn about the protected information.
One concept to combat DPA is the so-called one-time-pad encryption. In order to prevent DPA, or at least to make it more difficult, data which is exchanged between subsystems of an integrated circuit is encrypted. Here, one-time-pad encryption is often used for its proven high security. Binary coded clear texts m=(m1, m2, . . . ) are encrypted with keys k=(k1, k2, . . . ) determined from true random sequences (e.g. 1001 1000 1011) according to c=e(k,m)=(k1⊕m1, k2⊕m2, . . . ), i.e., a bit cj of a cipher text c=e(k,m) is determined by an XOR operation kj⊕mj on the corresponding bits of the key k and the clear text m. Since k⊕k=0 and 0⊕k=k, it follows that kj⊕cj=mj, i.e., the cipher text c is decrypted and the clear text m is recovered by applying the bit-wise XOR operation with the key again. A one-time-pad cryptosystem may use each encryption key only once, since otherwise statistical methods may be used to determine information on the clear text.
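The following Python sketch is an added example, not part of the original text. It applies the XOR scheme above to words crossing a bus and counts the bus lines that toggle between consecutive words, showing that a reused key leaves the toggle pattern of the clear text intact while fresh keys do not. The 8-bit width, the toggle count as a stand-in for power consumption, the sample words and the use of `secrets` in place of a true random source are assumptions.

```python
import secrets

WIDTH = 8  # assumed bus width in bits (not from the text)

def otp(key, word):
    """c = k XOR m. Applying it again with the same k decrypts, since k XOR k = 0."""
    return key ^ word

def send(plain, keys):
    """Encrypt each word with the key at the same position."""
    return [otp(k, m) for k, m in zip(keys, plain)]

def toggles(words):
    """Bus lines that change between consecutive words (Hamming distance)."""
    return [bin(a ^ b).count("1") for a, b in zip(words, words[1:])]

def mean_toggles_fresh(m1, m2, trials=4000):
    """Average toggle count for m1 -> m2 when every word gets a new random key."""
    total = 0
    for _ in range(trials):
        keys = [secrets.randbits(WIDTH), secrets.randbits(WIDTH)]
        total += toggles(send([m1, m2], keys))[0]
    return total / trials

# Constructed sample data: four 8-bit words crossing the bus in sequence.
PLAIN = [0x00, 0xFF, 0xFF, 0x0F]
REUSED = send(PLAIN, [0xA5] * len(PLAIN))  # the same key for every word

if __name__ == "__main__":
    print("clear text toggles:", toggles(PLAIN))
    print("reused-key toggles:", toggles(REUSED))  # identical: c1^c2 == m1^m2
    print("fresh keys 0x00->0xFF:", mean_toggles_fresh(0x00, 0xFF))
    print("fresh keys 0x00->0x00:", mean_toggles_fresh(0x00, 0x00))
```

With fresh keys both transitions average about WIDTH/2 toggles, so the toggle count no longer distinguishes the two clear text pairs.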
Another conventional concept is the so-called dual-rail implementation. In order to prevent DPA, integrated circuits are implemented in such a way that they exhibit the same power profile independently of the processed data. In the ideal case, the power profiles are always identical. For a single-rail data path implementation, the power profile is not predetermined. There, the temporal power profile, which represents the states of the circuit and the respective integrated charges, depends on which nodes, i.e. which electrical capacitances, change their potential and thus have charge transferred. Therefore, the power profile depends strongly on the temporal variation of the payload data.
The dual-rail implementation addresses the problem of variable integral charges by using so-called dual-rail logic. Starting from conventional single-rail logic, in which any bit within the data or signal path is physically represented by one electrical node k of a circuit, dual-rail logic represents any bit with two nodes k and kq, wherein said bit has a valid logical value if k carries the true logical value b of said bit and kq carries the complementary value bq=!b.
The desired invariance of the integrated charges is achieved by introducing an intermediate or pre-charge state between every two states having valid logical values (b,bq)=(1,0) or (0,1). Within the intermediate or pre-charge state, k as well as kq are charged to the same potential, i.e., they represent the logically invalid values (1,1) or (0,0). For the pre-charge state (1,1), a sequence of states could, for example, be
(1,1)→(0,1)→(1,1)→(1,0)→(1,1)→(1,0)→(1,1)→(0,1)→ . . .
For any arbitrary sequence of such states, in each transition from a pre-charge state (1,1)→(b,bq) exactly one node is switched from the 1-state to the 0-state, and in each transition (b,bq)→(1,1) exactly one node is switched from the 0-state to the 1-state, independently of the logically valid value b of the bit. For the intermediate or pre-charge state (0,0), a similar evaluation can be carried out. Consequently, the integral charges of such state sequences are independent of the sequence (b,bq) of logically valid values, as long as the nodes k and kq have similar electrical capacitances. The power profile of the implemented data path then does not depend on the temporal variation of the processed data and is thus DPA resistant.
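The following Python model is an added example, not part of the original text. It counts the charge moved per node transition for a single-rail node and for a dual-rail node pair with a pre-charge state, over all 4-bit sequences, and repeats the dual-rail case with unequal node capacitances to show the condition stated above. The unit capacitances, the 20 % mismatch and the 4-bit length are assumptions.

```python
from itertools import product

def single_rail_charge(bits, cap=1.0, start=0):
    """Total charge moved on one node k that directly carries each bit."""
    total, node = 0.0, start
    for b in bits:
        if b != node:  # the node changes potential, so charge is transferred
            total += cap
        node = b
    return total

def dual_rail_charges(bits, cap_k=1.0, cap_kq=1.0, precharge=1):
    """Charge moved per bit on nodes (k, kq): evaluate (b, !b), then pre-charge."""
    state = (precharge, precharge)
    per_cycle = []
    for b in bits:
        moved = 0.0
        for nxt in ((b, 1 - b), (precharge, precharge)):
            if nxt[0] != state[0]:
                moved += cap_k
            if nxt[1] != state[1]:
                moved += cap_kq
            state = nxt
        per_cycle.append(moved)
    return per_cycle

def distinct_totals(width=4, cap_kq=1.0):
    """Distinct total charges over every bit sequence of the given length."""
    words = [list(w) for w in product((0, 1), repeat=width)]
    single = {single_rail_charge(w) for w in words}
    dual = {round(sum(dual_rail_charges(w, cap_kq=cap_kq)), 6) for w in words}
    return single, dual

if __name__ == "__main__":
    # Bits 0,1,1,0 give the state sequence (1,1)->(0,1)->(1,1)->(1,0)->...
    print("per-cycle dual rail:", dual_rail_charges([0, 1, 1, 0]))
    single, balanced = distinct_totals()
    print("single rail totals :", sorted(single))    # data dependent
    print("dual rail, equal C :", sorted(balanced))  # one value only
    _, skewed = distinct_totals(cap_kq=1.2)          # assumed 20 % mismatch
    print("dual rail, C_kq=1.2:", sorted(skewed))    # data dependent again
```

With mismatched capacitances the total charge grows with the number of 1 bits in the sequence, which is the residual leakage the equal-capacitance condition excludes.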
Other known attacks are the so-called EMA (Electro Magnetic Analysis) and probing (invasive eavesdropping). As mentioned above, the dual-rail implementation may help to secure significant parts of the address and data paths by introducing neutral circuits in order to prevent short-term pulses on signal paths which are caused by propagation time differences. These pulses, also called glitches, may constitute another, at least theoretical, DPA risk. Another concept for advancing security may be secure wiring, where critical signal paths, for example word lines, are implemented in MOS-gate (MOS=Metal Oxide Semiconductor) polysilicon and “Metal One” in the wiring layer, bit lines may be implemented in “Metal One”, etc. Another technique to combat attacks is to implement the integrated circuits as densely as possible and to use the vertical wiring in order to prevent probing and EMA, e.g. by establishing a Faraday cage.
Other concepts are scrambling and interleaving of word or bit lines, as well as distributing them over several paths of RAM/RF cells (RF=Register File), which further complicates the assignment of addresses to the associated data. In some cases, randomly introduced bits may help to secure the sequence of RAM/RF addresses and of accesses to the data within a RAM/RF.